Analysis
- max time kernel: 150s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:46
Static task: static1
Behavioral task: behavioral1
- Sample: CONSIGNEE BL. NO GLNL20063871.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: CONSIGNEE BL. NO GLNL20063871.exe
- Resource: win10v2004-20220414-en
General
- Target: CONSIGNEE BL. NO GLNL20063871.exe
- Size: 392KB
- MD5: eafb5ecce79a78ff6f61de7830e3c492
- SHA1: f6d454e65aabcf2ee7c13eb01b776e2d557bf30f
- SHA256: 841418cdd1e9639a6a192eb8f9fd9881f042f49a7cb2bd3463a8a6964a424b50
- SHA512: 99a64b81a8dbe8ae3a2f2601111fbf52f94cf496d4475b2635862ae6473a81e8d1faa5b69b941d0d0e0c361b2a39ea731033143c6cdad45ac8c6295381e5ca35
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.daiphatfood.com.vn
- Port: 587
- Username: supin@daiphatfood.com.vn
- Password: jn&6kG~_w;;A
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/1124-137-0x0000000000400000-0x000000000044C000-memory.dmp
    yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: CONSIGNEE BL. NO GLNL20063871.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: CONSIGNEE BL. NO GLNL20063871.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: CONSIGNEE BL. NO GLNL20063871.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: CONSIGNEE BL. NO GLNL20063871.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3020 set thread context of 1124
    pid: 3020
    process: CONSIGNEE BL. NO GLNL20063871.exe
    target process: CONSIGNEE BL. NO GLNL20063871.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1124  process: CONSIGNEE BL. NO GLNL20063871.exe
    pid: 1124  process: CONSIGNEE BL. NO GLNL20063871.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1124
    process: CONSIGNEE BL. NO GLNL20063871.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 3020 wrote to memory of 5068 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / schtasks.exe
    PID 3020 wrote to memory of 5068 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / schtasks.exe
    PID 3020 wrote to memory of 5068 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / schtasks.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
    PID 3020 wrote to memory of 1124 / 3020 / CONSIGNEE BL. NO GLNL20063871.exe / CONSIGNEE BL. NO GLNL20063871.exe
- outlook_office_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: CONSIGNEE BL. NO GLNL20063871.exe
- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: CONSIGNEE BL. NO GLNL20063871.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CONSIGNEE BL. NO GLNL20063871.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CONSIGNEE BL. NO GLNL20063871.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abzwxpuJVYDQjR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44B5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\CONSIGNEE BL. NO GLNL20063871.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONSIGNEE BL. NO GLNL20063871.exe.log
  Filesize: 507B
  MD5: 76ffb2f33cb32ade8fc862a67599e9d8
  SHA1: 920cc4ab75b36d2f9f6e979b74db568973c49130
  SHA256: f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310
  SHA512: f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e
- C:\Users\Admin\AppData\Local\Temp\tmp44B5.tmp
  Filesize: 1KB
  MD5: 39ec1b11b79c372cc850c770687a2726
  SHA1: 5d2a50df8e18390947c404aa0b0b877056bffd38
  SHA256: baff83293aed7128af959757fa3f694e8d95bb28e7ba58b869a60277717062a9
  SHA512: 435841a1ee5f7d553ae1f14bdb11c24eec55f0402eda8e73194cb3287d8117790a0d6ceb18673ade2b012d09f8c2015ef177bdd08d405c08aa498e3c173dce65
- memory/1124-136-0x0000000000000000-mapping.dmp
- memory/1124-137-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1124-139-0x0000000005C80000-0x0000000005CE6000-memory.dmp
  Filesize: 408KB
- memory/1124-140-0x00000000062C0000-0x0000000006310000-memory.dmp
  Filesize: 320KB
- memory/3020-130-0x00000000001A0000-0x0000000000208000-memory.dmp
  Filesize: 416KB
- memory/3020-131-0x00000000051D0000-0x0000000005774000-memory.dmp
  Filesize: 5.6MB
- memory/3020-132-0x0000000004C20000-0x0000000004CB2000-memory.dmp
  Filesize: 584KB
- memory/3020-133-0x0000000005A90000-0x0000000005B2C000-memory.dmp
  Filesize: 624KB
- memory/5068-134-0x0000000000000000-mapping.dmp